Flickr 
Privacy Impact Assessment 





Department of the Interior 
Privacy Impact Assessment 


April 28, 2011 
Name of Project: Flickr 
Bureau: Department of the Interior 
Project’s Unique ID (Exhibit 300): N/A 


A. CONTACT INFORMATION: 


Departmental Privacy Office 

Office of the Chief Information Officer 
U.S. Department of the Interior 
202-208-1605 

DOI_Privacy@ios.doi.gov


B. SYSTEM APPLICATION/GENERAL INFORMATION: 


1) Does this system contain any information about individuals {this question is applicable to 
the system and any minor applications covered under this system}? 


Flickr is an online image and video hosting and sharing application operated by a third party 
which allows users to upload and share images such as photographs and videos. Information 
identifiable to the individual may be present within the Flickr application. DOI uses Flickr to post 
images of public events and mission related activities, and does not collect or maintain Personally 
Identifiable Information (PII) from Flickr users. 


a. Is this information identifiable to the individual* {this question is applicable to the
system and any minor applications covered under this system}? (If there is NO 
information collected, maintained, or used that is identifiable to the individual in the system, 
Sections D through G can be marked not applicable. If YES complete all sections for system 
and any applicable minor applications). 


Yes, images, videos or comments posted on Flickr may contain information identifiable to 
individuals. 


b. Is the information about individual members of the public {this question is applicable 
to the system and any minor applications covered under this system}? (If YES, a PIA 
must be submitted with the OMB Exhibit 300, and with the IT Security C&A documentation). 





* “Identifiable Form” - According to the OMB Memo M-03-22, this means information in an IT system or 
online collection: (i) that directly identifies an individual (e.g., name, address, social security number or 
other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency 
intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. 
(These data elements may include a combination of gender, race, birth date, geographic indicator, and 
other descriptors). 

Yes, images, videos or comments posted on Flickr may contain information identifiable to
individual members of the public.

c. Is the information about employees {this question is applicable to the system and any
minor applications covered under this system}? (If yes and there is no information about
members of the public, the PIA is required for the DOI IT Security C&A process, but is not
required to be submitted with the OMB Exhibit 300 documentation).

Yes, images, videos or comments posted on Flickr may contain information that is identifiable
to individual employees.

2) What is the purpose of the system/application?

Flickr is an online image and video hosting and sharing service which serves as a distribution
point for images such as photographs and videos which can be viewed world-wide. Flickr allows
users to upload, share, and view photographs and videos, and post comments. Users can
download other individuals’ photos if the creator has assigned a Creative Commons license that
allows the images to be downloaded. The images can then be embedded on the user’s own web
page. Images may be geo-tagged with the location name or latitude and longitude coordinates
of the place at which they were taken.

DOI uses Flickr to distribute images of its mission related activities, to promote Departmental
programs, and enhance public outreach and government transparency. The primary account
holder is the Department of the Interior Office of Communications, which ensures information
posted on the Department's official Flickr page is appropriate and approved for public
dissemination. Use of Flickr allows DOI to reach a much wider audience and greatly increases
the visibility of DOI activities and operations.

3) What legal authority authorizes the purchase or development of this system/application?

Presidential Memorandum on Transparency and Open Government, January 21, 2009; OMB M-10-06,
Open Government Directive, Dec. 8, 2009; OMB M-10-23, Guidance for Agency Use of
Third-Party Websites and Applications; the Paperwork Reduction Act, 44 U.S.C. 3501; the
Clinger-Cohen Act of 1996, 40 USC 1401; OMB Circular A-130; 110 Departmental Manual 18,
110 Departmental Manual 5.


C. DATA IN THE SYSTEM:

1) What categories of individuals are covered in the system?

Flickr users include members of the general public, private organizations and Federal employees;
however, DOI does not collect, maintain, or disseminate PII from Flickr users.

2) What are the sources of the information in the system?


Sources of information are Flickr users world-wide, including members of the general public,
Federal employees, private organizations and Federal, Tribal, State and Local agencies, who
post comments on DOI’s official Flickr page. Official images and information posted by DOI on
Flickr are also available on DOI official websites.


a. Is the source of the information from the individual or is it taken from another source? 
If not directly from the individual, then what other source? 

Sources of information are Flickr users, including members of the general public, private
organizations and Federal employees; however, DOI does not collect, maintain, or
disseminate PII from Flickr users. The official images and information posted by DOI have
been reviewed and approved for public dissemination and are also available on DOI official
websites.


What Federal agencies are providing data for use in the system? 


No other Federal agencies are providing PII for use in Flickr. Federal agencies may utilize 
Flickr to disseminate images and/or videos of agency activities and operations to enhance 
communication and government transparency; however, DOI does not receive PII or other 
information from Federal agencies through the use of Flickr. 


What Tribal, State and local agencies are providing data for use in the system? 


Tribal, state and local agencies may utilize Flickr to disseminate images and/or videos of 
agency activities and operations; however, DOI does not receive PII or other information from 
these agencies through the use of Flickr. 


From what other third party sources will data be collected? 


None. DOI does not receive PII or other information from third party sources through the use 
of Flickr. 


What information will be collected from the employee and the public? 


DOI does not collect, maintain or disseminate PII from Flickr users; however, there may be 
instances where PII becomes available. For instance, if a member of the public posts a 
comment on DOI’s Flickr page, their username, profile images, photographs that may contain
geo-location information, or other identifiable information contained in comments may 
become available to DOI. Flickr allows users to geo-tag their images and videos, which tags 
them with the location name or latitude and longitude coordinates of the place at which they 
were taken. Geo-tagging may provide users with the location of the content of a given image 
or video. The Department does not collect or share PII from Flickr users, except in 
circumstances where there is evidence of criminal activity, a threat to the government or the 
public, or when an employee violates DOI policy. This information may include username, 
profile image or posted content, and the appropriate law enforcement organizations will be 
notified. 


Flickr users are subject to Flickr’s privacy and security policies and terms of use, and can set 
their own privacy settings to protect their personal information. DOI does not control the 
content or privacy policy on Flickr, or Flickr's use of user information. DOI’s Privacy Policy 
informs the public that they are subject to third party social media website privacy and 
security policies, and DOI also informs the public that they may be subject to third party 
privacy policies when they leave a DOI official website to link to third party social media web 
sites. 


3) Accuracy, Timeliness, and Reliability 


a. How will data collected from sources other than DOI records be verified for accuracy?


DOI does not collect or maintain PII from Flickr users, and thus does not verify any data for
accuracy. Official images and information posted by DOI on Flickr are reviewed and
approved for public dissemination prior to posting.

b. How will data be checked for completeness?


DOI does not check data posted by Flickr users for completeness. Official images and 
information posted on Flickr by DOI are reviewed and approved for public dissemination prior 
to posting. 


c. Is the data current? What steps or procedures are taken to ensure the data is current 
and not out-of-date? Name the document (e.g., data models). 


DOI does not collect or maintain PII from Flickr users, and thus does not ensure the data is
current. Official images and information posted by DOI on Flickr are reviewed and approved
for public dissemination prior to posting.


d. Are the data elements described in detail and documented? If yes, what is the name of 
the document? 


DOI does not collect or maintain PII from Flickr users. 


D. ATTRIBUTES OF THE DATA: 


1) Is the use of the data both relevant and necessary to the purpose for which the system is
being designed?

DOI uses Flickr to distribute images and information on mission related activities and operations
and to enhance communication and government transparency which is relevant to the purpose of
the Flickr social media application.

2) Will the system derive new data or create previously unavailable data about an individual
through aggregation from the information collected, and how will this be maintained and
filed?

No, DOI does not collect, maintain or disseminate PII from Flickr users.

3) Will the new data be placed in the individual’s record?

No, DOI does not collect, maintain or disseminate PII from Flickr users.

4) Can the system make determinations about employees/public that would not be possible
without the new data?

No, DOI does not collect, maintain or disseminate PII from use of Flickr.

5) How will the new data be verified for relevance and accuracy?

DOI does not collect, maintain or disseminate PII from Flickr users, and does not verify data for
relevance and accuracy.

6) If the data is being consolidated, what controls are in place to protect the data from
unauthorized access or use?


DOI does not collect, maintain or disseminate PII from Flickr users, so no data is being 
consolidated. 

7) If processes are being consolidated, are the proper controls remaining in place to protect
the data and prevent unauthorized access? Explain.

DOI does not collect, maintain or disseminate PII from Flickr users, so no data is being
consolidated.

8) How will the data be retrieved? Does a personal identifier retrieve the data? If yes,
explain and list the identifiers that will be used to retrieve information on the individual.

Data will not be retrieved as DOI does not collect, maintain or disseminate data from Flickr users.
However, if a member of the public submits feedback from their use of Flickr, their username,
profile image or contact information may become available and used to provide additional
information. Also, there may be cases where there is evidence of criminal activity, a threat to the
government or the public, or an employee violates DOI policy. This information may include
username, image and comments, and the appropriate law enforcement organizations will be
notified.

9) What kinds of reports can be produced on individuals? What will be the use of these
reports? Who will have access to them?


Reports on individuals will not be generated. 


10) What opportunities do individuals have to decline to provide information (i.e., where
providing information is voluntary) or to consent to particular uses of the information
(other than required or authorized uses), and how can individuals grant consent?


Flickr users can decline to provide information, generally via regular system and privacy settings, 
and can control access to their personal information. However, the provision of information and 
user consent applies only to terms of use for Flickr. DOI has no control over Flickr content and 
privacy settings, and does not collect any PII from Flickr users. 


E. MAINTENANCE AND ADMINISTRATIVE CONTROLS: 


1) What are the retention periods of data in this system?

DOI does not collect, maintain or disseminate PII from use of Flickr. Any information posted on
Flickr, including DOI’s official Flickr page, is subject to Flickr’s privacy, security and records
policies, and DOI has no control over the management of such information. However, as part of
its public outreach effort, DOI posts photographs on Flickr regarding its mission-related activities
and operations, which may be subject to Federal records requirements. DOI has submitted a
social media records schedule to the National Archives and Records Administration for approval.
The social media records schedule is for the management of general electronic records of official
information postings published by DOI, and includes various activities that integrate web
technology, social interaction and user-generated content. The records disposition is temporary,
and records are destroyed when no longer needed for agency business. However, pending
NARA approval, all records are treated as permanent.

2) What are the procedures for disposition of the data at the end of the retention period?
How long will the reports produced be kept? Where are the procedures documented?


Disposition of paper records includes shredding, burning and tearing, and electronic records are 
degaussed in accordance with Office of the Secretary social media records schedule 1408 and 
384 DM1. 

3) How does the use of this technology affect public/employee privacy?

The effect on public/employee privacy is minimal as DOI does not collect, maintain, or disseminate
any PII from Flickr users. However, DOI does post images on its mission-related activities and
operations on Flickr. The official information posted by DOI has been reviewed and approved for
public dissemination so any privacy risks for the unauthorized disclosure of personal data by the
Department are mitigated. DOI does not have any control over personal information posted by
individual Flickr users, including members of the general public and Federal employees.

Flickr users are subject to Flickr’s privacy policy and terms of use, and can set their own privacy
settings to protect their personal information. DOI does not control the content or privacy policy
on Flickr. DOI’s Privacy Policy informs the public that they are subject to third party social media
website privacy and security policies, and DOI also informs the public that they may be subject to
third party privacy policies when they leave a DOI official website to link to third party social
media web sites.

4) Under which Privacy Act systems of records notice does the system operate? Provide
number and name.

DOI has developed DOI-08, Social Networks System of Records Notice (SORN), which is
expected to be published in June 2011, for referrals for criminal activity, threats to the
government or the public, and to enable DOI Bureaus or Offices to implement public outreach
programs associated with third party social media applications that may contain usernames
and/or contact information and result in the creation of a Privacy Act system of records. DOI
does not collect, maintain or disseminate PII obtained from the use of Flickr.

5) If the system is being modified, will the Privacy Act system of records notice require
amendment or revision? Explain.


N/A — DOI-08 Social Networks System of Records Notice is expected to be published in June 
2011. 


F. ACCESS TO DATA: 


1) Who will have access to the data in the system? (E.g., contractors, users, managers,
system administrators, developers, tribes, other)

Flickr users set their own privacy settings to allow access to their data. There could potentially be
millions of Flickr users who have access to information posted on Flickr, including the general
public, Federal employees, private organizations, and Federal, State, Tribal and local agencies.
DOI has official Flickr pages and has the same access to data as other Flickr users. DOI has no
control over user settings or content, and does not collect, maintain or disseminate PII from Flickr.

2) How is access to the data by a user determined? Are criteria, procedures, controls, and
responsibilities regarding access documented?

As noted above, access to data is determined by the Flickr user when establishing their privacy
settings. The privacy settings and policy are governed and controlled by Flickr. DOI has no
control over access controls in Flickr.

3) Will users have access to all data on the system or will the user’s access be restricted?
Explain.





Within Flickr, users control access to their own PII, generally via system settings. DOI has the
same access as any other Flickr user dependent on individual user privacy settings. DOI has no
control over user content in Flickr, except for official DOI postings. DOI does not collect, maintain
or disseminate PII from Flickr.

4) What controls are in place to prevent the misuse (e.g., unauthorized browsing) of data by
those having access? (Please list processes and training materials)

Within Flickr, users control access to their own PII, generally via system settings. DOI has the
same access as any other Flickr user dependent on individual user privacy settings. DOI has no
control over user content in Flickr, except for official DOI postings. DOI’s Social Media Policy and
Guidebooks address the official and unofficial (personal) use of third party social media and
social networking services by DOI employees, and provide guidance on the appropriate posting
and content of information.

5) Are contractors involved with the design and development of the system and will they be
involved with the maintenance of the system? If yes, were Privacy Act contract clauses
inserted in their contracts and other regulatory measures addressed?


Flickr is a private, third-party website that is independently operated. DOI does not have a part in 
the development or maintenance of Flickr. 